gerrit.opnfv Code Review - apex-puppet-tripleo.git/log

Add a flag to rabbitmq so that we can deploy with ha-mode: all again

In change Ib62001c03e1e08f58cf0c6e0ba07a8879a584084 we switched the
rabbitmq queues HA mode from ha-all to ha-exactly. While this gives us a
nice performance boost with rabbitmq, it makes rabbit less resilient to
network glitches as we painfully found out via
https://bugzilla.redhat.com/show_bug.cgi?id=1441635.

Will propose another THT change to actually change the default to
-1 so we get this ha-mode:all by default.

Change-Id: I9a90e71094b8d8d58b5be0a45a2979701b0ac21c
Partial-Bug: #1686337
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Co-Authored-By: John Eckersberg <jeckersb@redhat.com>
(cherry picked from commit c504d6a8591bcf12e31d97a62222d7611941b136)

Merge "Refactor SSHD config to allow both SSHD options and banner/motd to be set" into stable/ocata

Merge "Update Gemfile to pull spec_helper from stable/ocata" into stable/ocata

Merge "Stop SSHD profile clobbering SSH client config" into stable/ocata

Merge "SSHD Service extensions" into stable/ocata

Merge "Move gnocchi wsgi configuration to step 3" into stable/ocata

Update Gemfile to pull spec_helper from stable/ocata

It was missed after Ocata release, but we need to do it to pull
the right version of puppet-openstack_spec_helper.

Change-Id: Ieab0a99ea3491bd8bb6985318ff630442e9be353

Merge "Configure migration SSH tunnel" into stable/ocata

Refactor SSHD config to allow both SSHD options and banner/motd to be set

In https://review.openstack.org/#/c/444622/7 the sshd_options and banner/motd
are mutually exclusive. This patch, and the next patchset of that review,
resolves the conflict.

Related-Bug: 1668543

Change-Id: I1d09530d69e42c0c36311789166554a889e46556
(cherry picked from commit 3c49f51c8f42472d0d1cb2986b46a6c96821293a)

Stop SSHD profile clobbering SSH client config

Including the ::ssh manifest will manage both client and server config.
Managing the client config was not intended and will clobber the OS
default config with the puppet ssh moduled defaults.

Follow up for https://review.openstack.org/443113 where I found the issue after
the changes merged.

Change-Id: I6329f5ebbe8fc3950449e325e56293872d11e1b5
Related-Bug: 1668543
(cherry picked from commit 2a329d545d0e619c88c323148d5fe2098e70b4b1)

SSHD Service extensions

This change adds an `include` statement to bring in the extra
functionality available from the existing puppet-ssh module in
already available in RDO.

By using puppet-ssh it provides a framework to allow the passing in of
server options using just hiera values under ssh::server_options.
For example, sshd_config banner can now be passed a server option, as
well as all the new parameters outlined in the launchpad issue that
the patch references for Closing. For this reason, the former augeas
setting for `Banner /etc/issue` is now managed by the main puppet-ssh
module instead.

The change also allows population of MOTD text to `/etc/motd` as
well as `issue.net`.

$bannertext is refactored in accordance with patch [1]

[1] https://review.openstack.org/#/c/442406/

Change-Id: Id329538fb7b623526f1d91d8a513cf3440c86a7c
Related-Bug: 1668543
(cherry picked from commit b35bc80ac2acf18463e4c18c8360862749aa0964)

Merge "Move ceilometer wsgi to step 3" into stable/ocata

Configure migration SSH tunnel

This patch configures SSH tunneling for nova cold-migration and reuses the
tunnel for libvirt live-migration unless TLS has been enabled.

Change-Id: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
(cherry picked from commit ccbcd11276c7bc3ffc8f013d9a5b2d3944bf76cf)

Ensure we configure ssl.conf

Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.

Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug: 1682448
Resolves: rhbz#1441977
(cherry picked from commit 9e729c0db22865d036860346eb6b81c4c2108719)

Merge "Enable creation of keystone domain when ldap backends are created" into stable/ocata

Merge "Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo" into stable/ocata

Move ceilometer wsgi to step 3

Apache is configured in step 3 so if we configure ceilometer in step 4,
the configuration is removed on updates. We need to configure it in step
3 with the other apache services to ensure we don't have issues on
updates.

Change-Id: Icc9d03cd8904c93cb6e17f662f141c6e4c0bf423
Related-Bug: #1664418
(cherry picked from commit 890178bd6f6f465ffcb8cf4ad9b8019a1d6dc653)

Move gnocchi wsgi configuration to step 3

We configure apache in step3 so we need to configure the gnocchi api in
step 3 as well to prevent unnecessary service restarts during updates.

Change-Id: I30010c9cf0b0c23fde5d00b67472979d519a15be
Related-Bug: #1664418
(cherry picked from commit 9de4c92571fdbe342a20a68e4ee44feb55464007)

Restrict mongodb memory usage

Currently, mongodb has no limits on how much memory
it can consume. This enforces restriction so mongodb
service limits through systemd.

The puppet-systemd module has support for limits. The
MemoryLimit support is added in the follwoing pull
request https://github.com/camptocamp/puppet-systemd/pull/23

Closes-bug: #1656558

Change-Id: Ie9391aa39532507c5de8dd668a70d5b66e17c891
(cherry picked from commit 3aa86a4ea3c2406f79d6283cbb158f67136b5e9a)

Merge "Add missing octavia auth include to keystone manifest" into stable/ocata

Migrate Swift ring handling from tripleo-heat-templates to puppet-tripleo

This allows decoupling the Swift ringbuilding logic from the Controller
and ObjectStorage roles. A follow up patch will modify
tripleo-heat-templates and use this modified class.

Actually this downloads the Swift rings even if ring building is
disabled or if there is no need to rebalance. This is required, because
operators can disable ring building, but use the same mechanism to
distribute pre-built rings to the nodes.

If ring building is disabled, these won't be uploaded at the end back to
the undercloud.

Related-Bug: 1665641
Change-Id: Ifd6fa5b398d98e8998630ea0c9a2ce9867ceba2b
(cherry picked from commit 3412150d91dc7fe6e9f168b4ffdbb4d54c39fc55)

Enable creation of keystone domain when ldap backends are created

This sets the flag create_domain_entry for the ldap_backend resource,
which will create the domain for the ldap backend (this was previously
not the case since only the configuration was created). Furtherly, this
flag will also refresh the keystone server, so the changes come into
effect.

Note that this is only done in step 3, so the domains are created there
and the refresh happens in that step. Also, this is only done for the
bootstrap node, since when the other nodes start, they will already have
the domains available in the keystone database and there won't be a need
to restart.

Related-Bug: #1677603
Depends-On: Ib6c633b6a975e4b760c10a2aef3c252885b05e28
Change-Id: Id879cf5c5ae39d37bf58b73c78733001d2b03d9c
(cherry picked from commit 13ea87e658e36d1afcc3e4db7f43bcfc068e1f49)

syntax error extra comma in rabbitmq.pp

bundle rake syntax

Could not parse for environment *root*: Syntax error at ')'; expected '}'

Change-Id: Idfb254df068b3d7342a6ea3c71dabd1316a61bdf
(cherry picked from commit 33e0fe959d849acdab4b084ffd31d242c58ff6b6)

Add missing octavia auth include to keystone manifest

This patch adds the appropriate include to make sure that appropriate
keystone user, services, etc. are created when octavia is selected.

Closes-bug: #1680588

Change-Id: I0b6d657a0300538292223923d8808c23f936c193
(cherry picked from commit 23e723255cf46fd730cae185a0dc1f7194a511e0)

Merge "Make the cluster-check property configurable" into stable/ocata

Add a trigger to call ldap_backend define

Ldap_backend is a define so we need a resource to talk it. If
ldap_backend_enable set by tripleo-heat-templates, we call the
ldap_backend as a resource.

Given an environment such as the following:

parameter_defaults:
  KeystoneLdapDomainEnable: true
  KeystoneLDAPBackendConfigs:
    tripleoldap:
      url: ldap://192.0.2.250
      user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
      password: Secrete
      suffix: dc=redhat,dc=example,dc=com
      user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
      user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
      user_objectclass: person
      user_id_attribute: cn
      user_allow_create: false
      user_allow_update: false
      user_allow_delete: false
  ControllerExtraConfig:
    nova::keystone::authtoken::auth_version: v3
    cinder::keystone::authtoken::auth_version: v3

It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.

More backends can be added as more entries to that hash.

Partial-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Guillaume Coré <gucore@redhat.com>
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
(cherry picked from commit b8388e378a9151bccbac0db0478b1ef5d1e2e3fb)

Make the cluster-check property configurable

This change will make the global cluster-check property configurable
and will pick a lower default (60s) in case a pacemaker remote node
is deployed.

The cluster-recheck-interval is set to default to 15minutes by
pacemaker. This value is too high when a pacemaker remote service
is deployed. With this default value a reboot of a pacemaker remote
node will be reported as offline by pacemaker for up to 15minutes.

With this change we do the following:
1) Do nothing in case pacemaker remote is not deployed
2) When pacemaker remote is deployed and the operator has not
specified otherwise, we set the recheck interval to 60s.
3) When the operator specifies the recheck interval we set that.

Change-Id: I900952b33317b7998a1f26a65f4d70c1726df19c
Closes-Bug: #1679753
(cherry picked from commit f464e9f703b824f8971ade50c32884748caffefc)

Merge "Fixes missing neutron base in sriov" into stable/ocata

Deploy WSGI apps at the same step (3)

So we avoid useless apache restart and save time during the deployment.

Note: the backport is not 100% clean as Heat API was not deployed in
WSGI during Ocata cycle, so now, it's only for Aodh.

Related-Bug: #1664418
Change-Id: Ie00b717a6741e215e59d219710154f0d2ce6b39e
(cherry picked from commit 2272bcabba8752cd1876f85b1f9b83b0c7592c94)

Merge "Fix deprecated eqlx parameters" into stable/ocata

Fixes missing neutron base in sriov

This causes issues in deployments that is not using ML2
ComputeNeutronCorePlugin or OVS agent on the compute nodes.

Closes-Bug: 1679202

Change-Id: I9cdfd115add8c0d2d3ae6802e7bde007c1677c67
Signed-off-by: Tim Rozet <trozet@redhat.com>
(cherry picked from commit 1b93ca14c4d58c360424fbf34f669014b34d3b4b)

Merge "Add tunnel timeout for ui proxy container" into stable/ocata

Decouple ceilometer user create from API

Ceilometer user is needed for other ceilometer services to
authenticate with keystone even when API is not present.
So the data can be dispatched to gnocchi. Lets keep these
separate so user always exists even when api is not.

Depends-On: Iffebd40752eafb1d30b5962da8b5624fb9df7d48

Closes-bug: #1677354

Change-Id: I8f4e543a7cef5e50a35a191fe20e276d518daf20
(cherry picked from commit 38e4976b7b80487e26c75ece20bab631597240a3)

Add tunnel timeout for ui proxy container

Add an explicit tunnel timeout configuration option to increase the
tunnel timeout for persistent socket connections from two minutes (2m)
to one hour (3600s). A configuration was already present to apply a
tunnel timeout to the zaqar_ws endpoint, but that only applies to
connections made directly to the zaqar_ws endpoint directly. Since UI
now uses mod_proxy to proxy WebSocket connections for Zaqar, the timeout
is now applied for the same reasons to the ui haproxy server.

Change-Id: If749dc9148ccf8f2fa12b56b6ed6740f42e65aeb
Closes-Bug: 1672826
(cherry picked from commit e8125cb3640e0fe74b8617aaf55686d5645c8f7f)

Move horizon to step 3

We configure apache in step 3 so horizon should be configured at the
same time or else updates will cause horizon to be unvailable during the
update process.

Change-Id: I4032f7c24edc0ff9ed637e213870cdd3beb9a54e
Closes-Bug: #1678338
(cherry picked from commit e2928717412242faa4eb15d778f1b5c0952edc08)

Fix deprecated eqlx parameters

The eqlx_use_chap, eqlx_chap_login and eqlx_chap_password were
previously deprecated and are scheduled to be removed in Pike. This
change updates these parameters to use the replacement params.

See I295d8388ba17dd60e83995e7c82f64f02a3c4258 for more details.

Change-Id: I0f229ed2e7bb65d9da81c5caa69dbe1a4aded814
(cherry picked from commit 9cd4ddce32b4f14e7f6168416fcaee26a64f7a90)

Check rabbitmq user at step >= 2

The rabbitmq user check is moved to step >= 2 from step >= 1. There is
no gaurantee that rabbitmq is running at step 1, especially if updating
a failed stack that never made it past step 1 to begin with.

Change-Id: I029193da4c180deff3ab516bc8dc2da14c279317
Closes-Bug: #1675194
(cherry picked from commit aa9af086f05e466e88ac2a85ecc9d39f5a6d1e2f)

Merge "Add missing include of ::ec2api::keystone::authtoken" into stable/ocata

Merge "Re-run gnocchi and ceilometer upgrade in step 5" into stable/ocata

Add missing include of ::ec2api::keystone::authtoken

Change-Id: Id933276fab16eebd72751dca136ad805547e6291
Related-Bug: #1676491
(cherry picked from commit f137661aa178a6b390976470ddec7ed77eb05cf5)

Re-run gnocchi and ceilometer upgrade in step 5

Without this gnocchi resources types are not created
as they are skipped initially and the resources from
ceilometer wont make it to gnocchi.

Closes-bug: #1674421

Depends-On: I753f37e121b95813e345f200ad3f3e75ec4bd7e1

Change-Id: Ib45bf1b3e526a58f675d7555fe7bb5038dadeede
(cherry picked from commit aec471a78d46d839e98026c4cb98acb412a7b424)

Ensure iscsi-initiator-utils installed

We attempt to use iscsi-iname in an exec for our nova compute profile
but we do not ensure that the package providing this command is
installed. This change adds the package definition for
iscsi-initiator-utils to ensure it is installed before trying to use
iscsi-iname.

Change-Id: I1bfdb68170931fd05a09859cf8eefb50ed20915d
Closes-Bug: #1675462
(cherry picked from commit 2102a610c14d357f99a531250e676d6366559212)

Merge "Correct haproxy's stat unix socket path" into stable/ocata

Merge "Explicitly configure credentials used by ironic to access other services" into stable/ocata

Merge "Fixes issues with raising mysql file limit" into stable/ocata

Correct haproxy's stat unix socket path

We currently set the haproxy stat socket to /var/run/haproxy.sock.
On Centos/RHEL with selinux enabled this will break:

avc: denied { link } for pid=284010 comm="haproxy"
name="haproxy.sock" dev="tmpfs" ino=330803
scontext=system_u:system_r:haproxy_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

The blessed/correctly-labeled path is /var/lib/haproxy/stats

Note: I am setting only Partial-Bug because I would still like
to make this a parameter so other distros may just override the path.
But that change is more apt for pike and not for ocata.

Change-Id: I62aab6fb188a9103f1586edac1c2aa7949fdb08c
Patial-Bug: #1671119
(cherry picked from commit 5f8607711bb85150bb9631559f0538254ba5c5cc)

panko: Do db_sync in api manifest

The db_sync from panko comes from the panko-api package; So we move the
db_sync to be done in the api manifest as it's done for other services
such as barbican.

This is necessary since in cases where the overcloud deploy requires
puppet to do the installations, with the previous setup it failed since
the command wasn't available in the step it was being done.

Change-Id: I20a549cbaa2ee4b2c762dbae97f5cbf4d0b517c8
Closes-Bug: #1671716
(cherry picked from commit d73c2630b534b277122db68620be8923c4d3a6b4)

Explicitly configure credentials used by ironic to access other services

Using keystone_authtoken credentials for this purpose is deprecated, and also
prevents ironic-conductor from being used as a separate role.

As a side effect, this change makes it possible to potentially enable
ironic-inspector support in the future (it's not enabled yet).

Change-Id: I21180678bec911f1be36e3b174bae81af042938c
Partial-Bug: #1661250
(cherry picked from commit ffe6ae2c24f82df620df14ee4be8bd292cb95075)

Fixes issues with raising mysql file limit

Changes Include:
- Adds spec testing
- Only raise limits if nonha.  puppet-systemd will restart the mariadb
   service which breaks ha deployments.  Hence we only want to do this
   in noha.
- Minor fix to hiera value refrenced not as parameter to mysql.pp

Partial-Bug: #1648181
Related-Bug: #1524809

Co-Authored By: Feng Pan <fpan@redhat.com>

Change-Id: Id063bf4b4ac229181b01f40965811cb8ac4230d5
Signed-off-by: Tim Rozet <trozet@redhat.com>
Signed-off-by: Feng Pan <fpan@redhat.com>
(cherry picked from commit c9acf8a687ea64686c1ecceeff45add014752121)

Add bindep support

Bindep is an automation tool used by openstack-infra to bootstrap a
worker with default packages. Something not needed for puppet jobs.

Change-Id: I6b4784c233a2abad01da3408f131af2c89586868
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
(cherry picked from commit cc3d236ce409041d606d717a61d098d39185b70d)

Throw warnings for norpm actions

If the norpm provider attempts to do any install/update/remove actions,
we should throw a warning in the logs so people are aware that the
action did not actually take place.

Change-Id: Ieee5cac3412c709ba6b39316e455d7708cc9d22e
Closes-Bug: #1669666
(cherry picked from commit 2be36167fd223d95a71d557afa9d26bf950e21c8)

Stop the chronyd service

Since the norpm provider can prevent the chronyd package from actually
getting purged, we need to make sure the chronyd service is stopped and
disabled so that it does not conflict with ntpd.

Change-Id: I7a697aba7aa5a27ba4ab6e46018057f7f01dfab2
Closes-Bug: #1665426
(cherry picked from commit 37ba3a8db5e38955469e8bc9158388379d64abc8)

Merge "mariadb: Move generation of systemd drop-in to puppet-tripleo" into stable/ocata

mariadb: Move generation of systemd drop-in to puppet-tripleo

Systemd starts mariadb as user mysql, so in order to allow a large
number of connections (e.g. max_connections=4096) it is necessary to
raise the file descriptor limit via a system drop-in file.

When installing an undercloud, such drop-in file is currently
generated by instack-undercloud (in file puppet-stack-config.pp). But
non-HA overcloud also need such drop-in to be generated.

In order to avoid duplicating code, the drop-in creation code should
be provided by puppet-tripleo. By default, no drop-in is generated;
it has to be enabled by instack-undercloud or tripleo-heat-template
once they will use it (resp. to create undercloud or non-HA overcloud).

This patch does not aim at generating a dynamic file limit based on
the number of connections, this should land in another dedicated
patch. Instead, it just reuses the limit currently set for undercloud
and HA-overclouds.

Also, the generation of the drop-in does not force a mysql restart
like it currently does in instack-undercloud, to avoid unexpected
service disruption on a non-HA overcloud after a minor update.

Co-Authored-By: Tim Rozet <trozet@redhat.com>
Depends-On: I7ca7b5f7614971455cae2bf7c4bf8264b642b0dc

Change-Id: Ia0907b2ab6062a93fb9363e39c86535a490fbaf6
Partial-Bug: #1648181
Related-Bug: #1524809
(cherry picked from commit 09665170f6d0f4536a48dd4d1444e07aa064bed7)

Default neutron dhcp_agents_per_network to number of agents

This patch will set neutron's dhcp_agents_per_network equal to the
number of deployed neutron DHCP agents unless otherwise explicitly set.

Conflicts:
manifests/profile/base/neutron.pp

Note: spec/classes/tripleo_profile_base_neutron_spec.rb removed from
backport as it required defining the neutron class as a precondition to
satisfy a requirement for a rabbit password. This leads to a duplicate
definition.

Partial-bug: #1632721
Change-Id: I5533e42c5ba9f72cc70d80489a07e30ee2341198
(cherry picked from commit 52a68ffc8f060e1961458a524e5861cea02d1c1c)

Prepare 6.3.0 - Ocata RC2

Change-Id: I38a6bff942321d545de8abab073feae36f58cb06

Merge "Create /etc/my.cnf.d/tripleo.cnf with proper bind-address" into stable/ocata

Stop accidentally removing docker-distribution

By default Puppet does virtual package matching if precise name matching
fails. Docker-distribution RPM "provides" docker-registry:

bash-4.2# rpm -q --whatprovides docker-registry
docker-distribution-2.5.1-1.el7.x86_64

This means that when we wanted to make docker-registry package absent,
we were actually removing docker-distribution instead. This is now fixed
by allow_virtual => false. Only name matching is performed.

Change-Id: I1f93b404085f0bc2b6c063f573c801db6409c0bb
Closes-Bug: #1666459
(cherry picked from commit d12c004bc9c630c756a6b0df351916b9e04b9778)

Create /etc/my.cnf.d/tripleo.cnf with proper bind-address

When fixing LP#1643487 we added ?bind_address to all DB URIs.
Since this clashes with Cellsv2 due to the URIs becoming host
dependent, we need a new approach to pass bind_address to pymysql
that leaves the DB URIs host-independent.

We first create a /etc/my.cnf.d/tripleo.cnf file with a [tripleo]
section and in this section we add the correct bind-address option.
Note that we use the puppet augeas lens and not the mysql one
because the mysql one does not support custom sections *and* there
are older versions around which do not like the /etc/my.cnf.d/* path.

The reason for not reusing an existing mariadb file (my.cnf or
galera.cnf) is that pymysql's ini file support is not robust
enough at the moment: https://github.com/PyMySQL/PyMySQL/issues/548

The reason for putting this file creation code only on the controller
nodes the following: The slow VIP failover only happens if a
service runs where the VIPs exist. The VIPs get created in the
haproxy profile and that is why in order to have fast VIP failovers
the MySQLClient profile must live where the Haproxy service is running.

Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Partial-Bug: #1663181
Change-Id: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
(cherry picked from commit f6116ff0f350aeecdaa346e4e49d208be49ce6b9)

Enable languages in UI config

Which language options to offer to the UI users is determined in the
configuration file. Let's show all possible languages by default,
unless specified otherwise.

Change-Id: I513303bf82dca53e2291ab66f2385a2985a1846e
Related-Bug: #1663279
(cherry picked from commit 053ee06787539f6da07985968d6c3b0194e56008)

Add virtual_packages support to norpm provider

The norpm provider is supposed to noop package installs/updates but if a
package name in puppet does not match the installed package, it is being
reported as not installed. The provider then 'installs' it every time
which can trigger unwanted service restarts.

Change-Id: Icdfa6567168f9ecc555489ed67405f98544bd910
Closes-Bug: #1665405
(cherry picked from commit 525a2c379ba2e2433217af2aa78018dfd8cb0b44)

Update .gitreview for stable/ocata

Change-Id: I875c39b838dcb4e99df66bacc190647367836dc7

Merge "tuning: manage keystone resources only at step3"

Add missing release notes for Ocata RC1

Change-Id: I95f7b57a6cb0811af324996bd00580732503ed28

Merge "Make quotes consistent to match the sample config"

tuning: manage keystone resources only at step3

1. Manage Keystone resources only at step 3. Don't verify them
at step 4 and 5, it's a huge loss of time.
2. Don't require Keystone resources for Gnocchi services, they are
already ready at Step 5.

Related-Bug: #1664418
Change-Id: I9879718a1a86b862e5eb97e6f938533c96c9f5c8

Make quotes consistent to match the sample config

Per project conventions, should use single quotes.
Also, update comments and defaults to match sample.

Change-Id: I82ddcec230e7a03965d753db60968912b8d7da5c
Closes-Bug: #1663624

Merge "Add ::ironic::config to Ironic base profile"

Merge "nova: move placement credentials config at step 3"

nova: move placement credentials config at step 3

nova placement credentials in nova.conf need to be configured at step 3
so Nova services can use them as soon as they start.

Change-Id: I0abdd305b7e6c8d83f23e25b3872e98eb56dd299

Uncomment internal TLS options for placement API

Placement API is still running over wsgi which can run with TLS on the
internal network; These options were commented from haproxy and doing
this breaks the TLS-everywhere setup.

Change-Id: I1194f1f487cdcf45541c0d139806aa3dc4456d6e

Merge "Add support to changing the Rabbitmq password on update"

Merge "nova/api: more cleanup"

Merge "Add module to support ScaleIO backend in Cinder"

Merge "Rebranding of Eqlx to Dell EMC PS Series"

Merge "Run nova-cell_v2-discover_hosts at step 5"

nova/api: more cleanup

- transform nova_api_wsgi_enabled in a parameter
- update rspec tests
- fix TLS to run at step 1

Change-Id: I4d3f9c92f0717ae8c3bc8d71065fab281de82008

Run nova-cell_v2-discover_hosts at step 5

We need to run nova-cell_v2-discover_hosts at the very end of the
deployment because nova database needs to be aware of all registred
compute hosts.

1. Move keystone resources management at step 3.
2. Move nova-compute service at step 4.
3. Move nova-placement-api at step 3.
5. Run nova-cell_v2-discover_hosts at step 5 on one nova-api node.
6. Run neutron-ovs-agent at step 5 to avoid racy deployments where
it starts before neutron-server when doing HA deployments.

With that change, we expect Nova aware of all compute services deployed
in TripleO during an initial deployment.

Depends-On: If943157b2b4afeb640919e77ef0214518e13ee15
Change-Id: I6f2df2a83a248fb5dc21c2bd56029eb45b66ceae
Related-Bug: #1663273
Related-Bug: #1663458

Merge "nova: disable API in WSGI by default"

Add module to support ScaleIO backend in Cinder

Also adds an initial spec file for basic testing of the module.

Change-Id: I5534aab53b70de215336a076d25263c73b8d7b5b
Partial-Bug: #1661316

Rebranding of Eqlx to Dell EMC PS Series

This changes rebrands Dell Eqlx to Dell PS series
and matches the tripleo-heat-templates.

Change-Id: I3536147a06b426ace18cf415e99361c47b4cf5d9

start nova-compute when keystone resources are created

1. Move keystone resources management at step 4.
2. Move nova-compute startup at step 5.

That way, we make sure nova-compute will start when all Keystone
resources are ready.

Change-Id: I6e153e11b8519254d2a67b9142bf774a25bce69d
Closes-Bug: #1663273

nova: disable API in WSGI by default

Cleanup patch once the THT patch is merged.

Change-Id: Iba439a4758a4728197d7620b764a4f0f2648ee0f
Depends-On: I09b73476762593642a0e011f83f0233de68f2c33

Disable midonet unit tests

'https://github.com/midonet/puppet-midonet' doesn't exist anymore, we
need to migrate to 'https://github.com/openstack/puppet-midonet' but
tests will fail.

We need to work with Midokura to get them fixed. In the meantime, let's
disable it.

Change-Id: Id39bc5a8cd229df3e9b597a0a0f3eada838f4953

Merge "Proxy API endpoints that UI uses"

Merge "nova/libvirt: switch vnc server binding"

nova/libvirt: switch vnc server binding

On compute nodes, instead of binding vnc server on 0.0.0.0, use the IP
address provided by libvirt's t-h-t profile (hiera).

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: Ie377c09734e9f6170daa519aed69c53fc67c366b
Change-Id: If6b116b238a52144aad5e76c9edc7df6aa15313c
Closes-Bug: #1660099

Stop deploying Nova API in WSGI with Apache

It was suggested by Nova team to not deploying Nova API in WSGI with
Apache in production.
It's causing some issues that we didn't catch until now (see in the bug
report). Until we figure out what was wrong, let's disable it so we can
move forward in the upgrade process.

Related-Bug: 1661360

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac

Merge "Revert "Revert "set innodb_file_per_table to ON for MySQL / Galera"""

Add ::ironic::config to Ironic base profile

I have ExtraConfig settings that need to be set in
ironic.conf. Adding the ::ironic::config module
to our base Ironic profile should allow users to
customize Ironic if needed.

Change-Id: I93e9b3b5d4def1d8fa42b77b611b7d9d6cb7963b

Proxy API endpoints that UI uses

Add support to enable the UI to use paths via mod_proxy to access API
endpoints instead of connecting to each endpoint directly on a port
other than where the UI is served from. This is necessary to prevent
certificate acceptance errors from non-Chrome browsers which take
exception to connections made to other ports on the same hostname, using
one SSL certificate.

This change extends the UI's Apache configuration to create one
mod_proxy location for each of the API endpoints that UI calls upon.
These mod_proxy (using ProxyPass, ProxyPassReverse) endpoints are
configured using new heira variables provided in the dependent commit.

Additionally, this change modifies the default UI configuration file to
include endpoint URLs formatted to use the new endpoint paths that are
created.

Removed puppet variables which were previously used to generate the
contents of the tripleo_ui_config.js template, since they are no longer
used to generate this file, replaced with the new endpoint URLs
formatted to use the new endpoint paths that are created.

Change-Id: I55e375ad462fa98e181277ec0bd88658e620e8ad
Implements: blueprint proxy-undercloud-api-services
Depends-On: Ib20f4b0891563ae90ec80675635a64c39bd2fdb7

Revert "Revert "set innodb_file_per_table to ON for MySQL / Galera""

This reverts commit 3f7e74ab24bb43f9ad7e24e0efd4206ac6a3dd4e.

After identifying how to workaround the performance issues on the
undercloud, let's put this back in. Enabling innodb_file_per_table is
important for operators to be able to better manage their databases.

Change-Id: I435de381a0f0e3ef221e498f442335cdce3fb818
Depends-On: I77507c638237072e38d9888aff3da884aeff0b59
Closes-Bug: #1660722

Add support to changing the Rabbitmq password on update

Rabbitmq Password is set on the fresh deployment, but during
update, if the password is changed, it is modified in all config
files including rabbitmq config. But the rabbitmq connection fails
because the new password is not successful applied to rabbitmq.
Setting the rabbitmq_user will invoke 'rabbitmqctl change_password'.

Scenario: The password change is applied on Step1 when configuring
Rabbitmq. Other services may be updated on different Steps. Till
other services config is updated with new rabbitmq password, and
restarted, the connections will get Access Denied response. It has
cyclic dependency. So the passwords will be changes at Step1 and
once all services are updated, the connections will work as is.

Partial-Bug: #1611704
Change-Id: I44865af3d5eb2d37eb648ac7227277e86c8fbc54

Merge "Use transport_url for rabbitmq connection parameters in heat"

Merge "Add initial profiles for rest of Octavia services"

Merge "add cache to object-expirer pipeline"

Merge "Delete the unnecessary word in numvfs_persistence.pp"

Merge "Fix style nits in contrail manifests"

Revert "set innodb_file_per_table to ON for MySQL / Galera"

This reverts commit 621ea892a299d2029348db2b56fea1338bd41c48.

We're getting performance problems on SATA disks.

Change-Id: I30312fd5ca3405694d57e6a4ff98b490de388b92
Closes-Bug: #1661396
Related-Bug: #1660722

Prepare 6.2.0 release

6.2.0 will be Ocata RC1.

Change-Id: Ie26ab89ea9c90f6c5d01697459855fd8c32b075f